
ICSA, Inc. For more information, call 888-396-8348
An Introduction to Intrusion Detection and Assessment

information generated in that host or the signature against which the information is matched. The network-level analysis can take the results from the host-level analysis and use it to detect signs of network-wide attack or suspicious behavior without incurring as heavy a network load. Furthermore, in larger networks, this sort of approach can be applied hierarchically. That is, groups of hosts can report to a network analysis engine, which in turn reports its results to another analysis engine that collects results from a number of other network analysis engines, and so on. This hierarchical structure lets intrusion-detection products succeed even in larger organizations.

Types of Analysis

Signature analysis

Signatures are patterns corresponding to known attacks or misuses of systems. They may be simple (character string matching looking for a single term or command) or complex (security state transition written as a formal mathematical expression). In general a signature can be concerned with a process (the execution of a particular command) or an outcome (the acquisition of a root shell).

Signature analysis is pattern matching of system settings and user activities against a database of known attacks. Most commercial intrusion detection products perform signature analysis against a vendor-supplied database of known attacks. Additional signatures specified by the customer can also be added as part of the intrusion detection system configuration process. Most vendors also include periodic updates of signature databases as part of software maintenance agreements.

One advantage of signature analysis is that it allows sensors to collect a more tightly targeted set of system data, thereby reducing system overhead.
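The two kinds of signature just described, a simple string match for a process and a state-transition signature for an outcome, can be shown side by side over a small host audit log. The following is an added example written for this page, not code from ICSA or from any product the document surveys; the audit records, user names, commands and signature names are all constructed for illustration.

```python
"""Signature analysis over a constructed audit log (added example, not from the document)."""
import re
from dataclasses import dataclass, field

# Constructed host audit records: (time, user, event type, detail).
# None of the users or commands come from the document.
AUDIT_LOG = [
    ("09:01", "alice", "exec", "ls -l /home/alice"),
    ("09:02", "bob",   "exec", "cat /etc/shadow"),
    ("09:05", "bob",   "exec", "/tmp/helper"),
    ("09:06", "bob",   "uid_change", "uid=0"),
    ("09:10", "carol", "exec", "grep root /etc/passwd"),
    ("09:12", "carol", "uid_change", "uid=0"),   # root via ordinary su: no /tmp execution first
]


@dataclass
class StringSignature:
    """Simple signature: one pattern matched against one record (a process)."""
    name: str
    pattern: re.Pattern

    def reset(self):
        pass                          # stateless, nothing to clear

    def match(self, record):
        _, _, event, detail = record
        return event == "exec" and self.pattern.search(detail) is not None


@dataclass
class TransitionSignature:
    """Complex signature: an ordered chain of states tracked per user; it fires
    only when the final state (the outcome) is reached by the same user."""
    name: str
    steps: list                       # one predicate record -> bool per state
    progress: dict = field(default_factory=dict)

    def reset(self):
        self.progress.clear()

    def match(self, record):
        user = record[1]
        idx = self.progress.get(user, 0)
        if self.steps[idx](record):
            idx += 1
        if idx == len(self.steps):    # outcome reached: fire and start over
            self.progress[user] = 0
            return True
        self.progress[user] = idx
        return False


# A vendor-style string signature plus a customer-added state-transition signature.
SIGNATURES = [
    StringSignature("read-shadow", re.compile(r"\bcat\s+/etc/shadow\b")),
    TransitionSignature("tmp-exec-then-root", [
        lambda r: r[2] == "exec" and r[3].startswith("/tmp/"),
        lambda r: r[2] == "uid_change" and r[3] == "uid=0",
    ]),
]


def scan(records, signatures=SIGNATURES):
    """Match every record against every signature; return (time, user, signature) alerts."""
    for sig in signatures:
        sig.reset()
    alerts = []
    for rec in records:
        for sig in signatures:
            if sig.match(rec):
                alerts.append((rec[0], rec[1], sig.name))
    return alerts


if __name__ == "__main__":
    for alert in scan(AUDIT_LOG):
        print("ALERT", *alert)
```

Running it produces two alerts, both for bob: the string signature fires on a single record, while the transition signature fires only once bob's uid change completes the chain his /tmp execution started; carol's uid change alone does not fire because her state never advanced. The chain here has no time window, so a real state-transition signature would additionally expire partial progress after a bounded interval.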
Unless signature databases are unusually large (say, hundreds of thousands or millions of complex signatures), signature analysis is usually more efficient than statistical analysis due to the absence of floating point computations.

Statistical analysis

Statistical analysis finds deviations from normal patterns of behavior. This feature, common in research settings, is found in few commercial intrusion detection products. Statistical profiles are created for system objects (e.g., users, files, directories, devices, etc.) by measuring various attributes of normal use (e.g., number of accesses, number of times an operation fails, time of day, etc.). Mean frequencies and measures of variability are calculated for each type of normal usage. Possible intrusions are signaled when observed values fall outside the normal range. For example, statistical analysis might signal an unusual event if an accountant who had never previously logged into the network outside the hours of 8 AM to 6 PM were to access the system at 2 AM.

The advantages of statistical analysis are:

•  The system may detect heretofore unknown attacks;
•  Statistical methods may allow one to detect more complex attacks, such as those that occur over extended periods.

Disadvantages of statistical analysis (at this time) are:

•  It is relatively easy for an adversary to trick the detector into accepting attack activity as normal by gradually varying behavior over time;
•  The possibility of false alarms is much greater in statistical detectors;
•  Statistical detectors do not deal well with changes in user activities (e.g., when the man-
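The statistical profile described above (mean and variability of one attribute, alarm when an observation falls outside the normal range) and two of its listed disadvantages can be shown with a time-of-day login profile. The following is an added example written for this page, not code from ICSA or any product; the baseline login hours are constructed so that the user stands in for the document's accountant, and the three-sigma threshold, the drift schedule and the five-logins-per-step repeat count are assumptions chosen for illustration.

```python
"""Statistical analysis of login hours (added example, not from the document)."""
from statistics import mean, pstdev

# Constructed baseline: hour of day (0-23) of 20 logins by one user, all
# between 8 AM and 1 PM, standing in for the document's accountant.
BASELINE_HOURS = [8] * 5 + [9] * 10 + [10] * 3 + [13] * 2


class Profile:
    """Per-object statistical profile: mean and variability of one attribute."""

    def __init__(self, samples, threshold=3.0):
        self.samples = list(samples)
        self.threshold = threshold      # assumed: deviations (in sigma) still treated as normal

    def mu(self):
        return mean(self.samples)

    def sigma(self):
        return pstdev(self.samples)

    def score(self, value):
        """Distance of an observation from the mean, in standard deviations."""
        sigma = self.sigma() or 1.0     # a constant attribute would otherwise divide by zero
        return abs(value - self.mu()) / sigma

    def is_anomalous(self, value):
        return self.score(value) > self.threshold

    def update(self, value):
        self.samples.append(value)


def check_logins(hours, profile):
    """Return (hour, score, flagged) for each observed login hour."""
    return [(h, round(profile.score(h), 2), profile.is_anomalous(h)) for h in hours]


def drift_walk(schedule, repeats=5):
    """Compare a frozen baseline with a profile that learns from every
    observation it accepts, while logins move one hour at a time from
    business hours toward 2 AM.  Returns how many of the drifting logins
    each profile flagged."""
    frozen = Profile(BASELINE_HOURS)
    adaptive = Profile(BASELINE_HOURS)
    frozen_flags = adaptive_flags = 0
    for hour in schedule:
        for _ in range(repeats):
            if frozen.is_anomalous(hour):
                frozen_flags += 1
            if adaptive.is_anomalous(hour):
                adaptive_flags += 1
            else:
                adaptive.update(hour)    # accepted observation becomes part of "normal"
    return frozen_flags, adaptive_flags


if __name__ == "__main__":
    profile = Profile(BASELINE_HOURS)
    for hour, score, flagged in check_logins([10, 2, 17], profile):
        print(f"login at {hour:02d}:00 score={score} {'ALERT' if flagged else 'ok'}")
    print("drift walk flagged (frozen, adaptive):", drift_walk(range(8, 1, -1)))
```

The 2 AM login scores more than five standard deviations from the mean and is flagged, as the accountant example predicts. The 5 PM login is flagged too: it is within the user's nominal working hours but never appeared in the baseline, which is the greater false-alarm rate the document lists. The drift walk shows the other listed weakness: against the frozen baseline the walk is flagged once it reaches 5 AM, but a profile that folds every accepted observation back into its samples never crosses the threshold and ends up treating 2 AM as normal, which is why baselines are frozen or reviewed rather than updated unattended. Hour of day is also circular (23:00 and 01:00 are two hours apart, not 22), a detail a production profile would need to encode.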